ASA L2L VPN tunnel fails encryption process

kredwin74
Level 1

I have 2 tunnels that work fine. I tried adding a third tunnel. When I go to test it in packet tracer I get a failure at the second VPN lookup, which is encryption. When packet tracing the other two tunnels, they look identical except they don't fail. I did this in ASDM. I then pulled the config and compared the new tunnel with the old ones, and they are all parallel, so this makes no sense.

6 Replies

Hi,

What's the failure with the third tunnel exactly? Phase 1, Phase 2?

Could you post the relevant part of the configs?

The problem could be related to routing or NAT perhaps or even VPN configuration.

Federico.

Tunnel 192.168.1.50 to 10.1.1.37 works, peer 216.187.131.9

I created another tunnel 192.168.1.51 to 10.1.1.37 not working, peer 216.187.131.19

S* 0.0.0.0 0.0.0.0 [1/0] via 217.19.23.1, outside
C 192.168.0.0 255.255.254.0 is directly connected, inside-servers

access-list Outside-In extended permit ip host 192.168.1.50 host 10.1.1.37
access-list Outside-In extended permit ip host 192.168.1.51 host 10.1.1.37
access-list outside_nat0_outbound extended permit ip host 192.168.1.50 host 10.1.1.37
access-list outside_nat0_outbound extended permit ip host 192.168.1.51 host 10.1.1.37
access-list inside-servers_nat0_outbound extended permit ip host 192.168.1.50 host 10.1.1.37
access-list inside-servers_nat0_outbound extended permit ip host 192.168.1.51 host 10.1.1.37
access-list outside_cryptomap extended permit ip host 192.168.1.50 host 10.1.1.37
access-list outside_cryptomap_1 extended permit ip host 192.168.1.51 host 10.1.1.37

crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 216.187.131.9
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set peer 216.187.131.19
crypto map outside_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

tunnel-group 216.187.131.9 type ipsec-l2l
tunnel-group 216.187.131.9 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group 216.187.131.19 type ipsec-l2l
tunnel-group 216.187.131.19 ipsec-attributes
 pre-shared-key *

GOOD VPN:

packet-tracer input inside-servers icmp 192.168.1.50 0 0 10.1.1.37

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside-servers_access_in in interface inside-servers

access-list inside-servers_access_in extended permit icmp any any

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

match ip inside-servers host 192.168.1.50 outside host 10.1.1.37

NAT exempt

translate_hits = 18817, untranslate_hits = 70143

Additional Information:

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside-servers,inside-IT) 192.168.0.0 192.168.0.0 netmask 255.255.254.0

match ip inside-servers 192.168.0.0 255.255.254.0 inside-IT any

static translation to 192.168.0.0

translate_hits = 65266, untranslate_hits = 460676

Additional Information:

Phase: 10

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside-servers) 101 0.0.0.0 0.0.0.0

match ip inside-servers any outside any

dynamic translation to pool 101 (207.191.231.2 [Interface PAT])

translate_hits = 7092125, untranslate_hits = 76745

Additional Information:

Phase: 11

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 159410518, packet dispatched to next module

Result:

input-interface: inside-servers

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

BAD VPN:

packet-tracer input inside-servers icmp 192.168.1.51 0 0 10.1.1.37

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside-servers_access_in in interface inside-servers

access-list inside-servers_access_in extended permit icmp any any

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

match ip inside-servers host 192.168.1.51 outside host 10.1.1.37

NAT exempt

translate_hits = 3, untranslate_hits = 0

Additional Information:

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside-servers,inside-IT) 192.168.0.0 192.168.0.0 netmask 255.255.254.0

match ip inside-servers 192.168.0.0 255.255.254.0 inside-IT any

static translation to 192.168.0.0

translate_hits = 64939, untranslate_hits = 459214

Additional Information:

Phase: 10

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside-servers) 101 0.0.0.0 0.0.0.0

match ip inside-servers any outside any

dynamic translation to pool 101 (207.191.231.2 [Interface PAT])

translate_hits = 7091904, untranslate_hits = 76744

Additional Information:

Phase: 11

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside-servers

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule
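Comparing two packet-tracer outputs by eye is error-prone once they run to a dozen phases each. The following is an added Python example (not from this thread or from Cisco) that parses packet-tracer output into phases, reports the first phase with Result: DROP together with the Drop-reason from the summary block, and diffs a good trace against a bad one on type, subtype and result. GOOD_TRACE and BAD_TRACE are constructed, abbreviated copies of the two traces above (phases 11 and 12 only).

```python
"""Locate the first failing phase in Cisco ASA packet-tracer output.

Added example, not from the thread. GOOD_TRACE and BAD_TRACE are constructed,
abbreviated copies of the thread's two traces (phases 11 and 12 only).
"""
import re

GOOD_TRACE = """\
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 159410518, packet dispatched to next module

Result:
input-interface: inside-servers
output-interface: outside
Action: allow
"""

BAD_TRACE = """\
Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside-servers
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

_PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")


def parse_trace(text):
    """Return (phases, summary): per-phase dicts plus the trailing 'Result:' block."""
    phases, summary, current, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = _PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":          # a bare 'Result:' opens the final summary block
            current = None
        elif current is None:            # summary block: 'key: value' lines
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is None and line.split(":")[0] in ("Type", "Subtype", "Result"):
            current[line.split(":")[0].lower()] = line.partition(":")[2].strip()
        elif section:
            current[section].append(line)
    return phases, summary


def first_drop(phases):
    """The first phase whose Result is DROP, or None when the packet was allowed."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def diff_traces(good, bad):
    """Phase numbers where type/subtype/result differ; a missing phase shows as None."""
    gmap = {p["phase"]: p for p in good}
    bmap = {p["phase"]: p for p in bad}

    def key(p):
        return (p["type"], p["subtype"], p["result"]) if p else None

    return [(n, key(gmap.get(n)), key(bmap.get(n)))
            for n in sorted(set(gmap) | set(bmap)) if key(gmap.get(n)) != key(bmap.get(n))]


def explain(text):
    """One-line verdict for a trace, including the Drop-reason when present."""
    phases, summary = parse_trace(text)
    drop = first_drop(phases)
    if drop is None:
        return f"allowed after {len(phases)} phases"
    return (f"dropped at phase {drop['phase']} ({drop['type']}/{drop['subtype']}): "
            f"{summary.get('Drop-reason', 'no drop-reason reported')}")


if __name__ == "__main__":
    print(explain(GOOD_TRACE))
    print(explain(BAD_TRACE))
    print(diff_traces(parse_trace(GOOD_TRACE)[0], parse_trace(BAD_TRACE)[0]))
```

Feed it the full output of `packet-tracer ... | include` saved to a file and the diff narrows the comparison to the phases that actually differ; in the thread's case that is phase 11 flipping from ALLOW to DROP and phase 12 (FLOW-CREATION) never being reached.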

Both tunnels go to the same peer IP 216.187.131.19. The only difference is the interesting traffic.
There's no need to create two tunnels (in fact it would not work).
What you need is to create a single tunnel to the peer 216.187.131.19 and have the crypto ACL with both connections.

So for instance only this tunnel:
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 216.187.131.9
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400

access-list outside_cryptomap extended permit ip host 192.168.1.50 host 10.1.1.37
access-list outside_cryptomap extended permit ip host 192.168.1.51 host 10.1.1.37

And get rid of the configuration for the other tunnel.

Federico.

The peers are different one is 9 the other is 19:

Tunnel 192.168.1.50 to 10.1.1.37 works, peer 216.187.131.9

I created another tunnel 192.168.1.51 to 10.1.1.37 not working, peer 216.187.131.19

Sorry, I missed that; you're right, the public IPs are different, so you need two tunnels.

My question now is... you're trying to access the same IP through the tunnel, why is that?

Is it the same device that you're trying to access (via two different locations)?

It seems that's the problem, because you're attempting to send traffic to the same host through two different tunnels.

If the first tunnel is already established, the second tunnel won't encrypt traffic to the same host.

Federico.
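Which tunnel a given source/destination pair takes is decided by the crypto map, so the question of "the same host through two different tunnels" can be checked rather than guessed. The following is an added Python example (not from this thread or from Cisco) that parses the crypto ACLs and crypto map entries posted above and resolves the sequence number and peer selected for a host pair. It assumes the ASA evaluates crypto map entries in ascending sequence order and takes the first crypto ACL that permits the packet, so a later entry whose ACL overlaps an earlier one is shadowed; SHADOWED_CONFIG is a constructed variant that shows that case, with a subnet-wide entry in sequence 2 capturing traffic intended for sequence 3.

```python
"""Resolve which ASA crypto map entry, and so which peer, a host pair selects.

Added example, not from the thread or Cisco. Assumes crypto map entries are
evaluated in ascending sequence order and the first crypto ACL that permits the
packet wins, so later overlapping entries are shadowed.
"""
import ipaddress

# The thread's crypto ACLs and crypto map entries (copied from the post above).
THREAD_CONFIG = """\
access-list outside_cryptomap extended permit ip host 192.168.1.50 host 10.1.1.37
access-list outside_cryptomap_1 extended permit ip host 192.168.1.51 host 10.1.1.37
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 216.187.131.9
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set peer 216.187.131.19
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""

# Constructed variant: a subnet-wide ACE in sequence 2 shadows the host ACE in 3.
SHADOWED_CONFIG = """\
access-list site_a extended permit ip 192.168.1.0 255.255.255.0 host 10.1.1.37
access-list site_b extended permit ip host 192.168.1.51 host 10.1.1.37
crypto map outside_map 2 match address site_a
crypto map outside_map 2 set peer 216.187.131.9
crypto map outside_map 3 match address site_b
crypto map outside_map 3 set peer 216.187.131.19
"""


def _addr(tokens, i):
    """Parse one ACE address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl_name: [(src_net, dst_net)]}, {seq: {"acl": name, "peer": ip}})."""
    acls, cmap = {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = cmap.setdefault(int(t[3]), {})   # dynamic entries stay empty
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
    return acls, cmap


def _aces(acls, entry):
    return acls.get(entry.get("acl"), [])


def select_entry(acls, cmap, src_ip, dst_ip):
    """Lowest-sequence crypto map entry whose ACL permits src->dst, as (seq, peer)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq in sorted(cmap):
        if any(s in sn and d in dn for sn, dn in _aces(acls, cmap[seq])):
            return seq, cmap[seq].get("peer")
    return None


def shadowed_entries(acls, cmap):
    """(earlier, later) sequence pairs whose crypto ACLs overlap; later is shadowed."""
    seqs = sorted(cmap)
    return [(a, b) for i, a in enumerate(seqs) for b in seqs[i + 1:]
            if any(sa.overlaps(sb) and da.overlaps(db)
                   for sa, da in _aces(acls, cmap[a]) for sb, db in _aces(acls, cmap[b]))]


if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("shadowed", SHADOWED_CONFIG)):
        acls, cmap = parse_config(cfg)
        for host in ("192.168.1.50", "192.168.1.51"):
            print(label, host, "->", select_entry(acls, cmap, host, "10.1.1.37"))
        print(label, "shadowed:", shadowed_entries(acls, cmap))
```

Run against the thread's own config, the two host ACEs do not overlap, so 192.168.1.50 resolves to sequence 2 (peer 216.187.131.9) and 192.168.1.51 to sequence 3 (peer 216.187.131.19); only the constructed subnet-wide variant makes sequence 3 unreachable.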

It should work because I'm specifying interesting traffic from another server; even if the endpoint is technically the same IP, it is located at another location, so the two are mutually exclusive private IPs. But just for the sake of difference I changed it so they're different, but still the same problem.

Tunnel 192.168.1.50 to 10.1.1.37 works, peer 216.187.131.9

I created another tunnel 192.168.1.51 to 10.1.1.36 not working, peer 216.187.131.19

What now?
